Douglas Muth on 13 Oct 2008 19:40:27 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Tracking down a spammer - advice?

On Mon, Oct 13, 2008 at 10:34 PM, Marc Zucchelli <> wrote:
> The headers are below.  I noticed: qmail 3443 invoked by uid 65534.  It
> seems like there is a hijacked web form/php script.  Now how to track down
> something like that with about 15 different websites on the server and
> possibly thousands of php scripts.

So your box is, then?

If you think a script is being hijacked, you could do some
old-fashioned grepping, ala:

find /var/www --exec grep -i --with-filename mail\( {} \;

That would print all files with a call to the mail( function.  That
could be used to quickly narrow things down, and you could do a code
audit on the scripts in quesiton.

You could also grep through your access logs and look for any scripts
that might be accessed frequently.  Since there's an X-EN-OrigIP:
header present, you might be able to see what hits came from that IP
and determine the hijacked script that way.

-- Doug
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --